Ubuntu
kdelibs package

CAN-2004-1171: plain text password exposure

Bug #11114 reported by Debian Bug Importer
10
Affects Status Importance Assigned to Milestone
kdelibs (Debian)
Fix Released
Unknown
kdelibs (Ubuntu)
Fix Released
High
Andreas Mueller

Bug Description

Automatically imported from Debian bug report #285126 http://bugs.debian.org/285126

See original description

CVE References

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #285126 http://bugs.debian.org/285126

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 14:45:15 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: CAN-2004-1171: plain text password exposure

--zYM0uCDKw75PZbzx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: kdelibs, kdebase
Version: 3.3.2
Tags: security, patch
Severity: serious

CAN-2004-1171 is about a security hole in KDE that allows for possible
passoword leakage:

  KDE 3.2.x and 3.3.0 through 3.3.2, when saving credentials that are (1)
  manually entered by the user or (2) created by the SMB protocol handler, =
stores
  those credentials for in plaintext in the user's .desktop file, which may=
 be
  created with world-readable permissions, which could allow local users to
  obtain usernames and passwords for remote resources such as SMB shares.

Note that this will need to be fixed in both the version in unstable
and the older version in testing via t-p-u. This page has details of the
hole and links to patches for all recent versions of KDE:

http://marc.theaimsgroup.com/?l=3Dbugtraq&m=3D110261063201488&w=3D2

--=20
see shy jo

--zYM0uCDKw75PZbzx
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBufzKd8HHehbQuO8RAsdTAKDBGhtjlJgCmuToYgD+VvEgyGqaHACgupI0
tHTYFM4JJq9i7f6z2g39Jpc=
=usXq
-----END PGP SIGNATURE-----

--zYM0uCDKw75PZbzx--

Revision history for this message
In , Dato Simó (dato) wrote : Re: Bug#285126: CAN-2004-1171: plain text password exposure

* Joey Hess [Fri, 10 Dec 2004 14:45:15 -0500]:
> Package: kdelibs, kdebase
> Version: 3.3.2
> Tags: security, patch
> Severity: serious

> CAN-2004-1171 is about a security hole in KDE that allows for possible
> passoword leakage:

  I've prepared kdelibs and kdebase uploads for this. I'm now looking
  for somebody to upload them for me.

--
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
    Listening to: The Beatles - Get back

When it is not necessary to make a decision, it is necessary not to make
a decision.

Revision history for this message
In , Joey Hess (joeyh) wrote :

Adeodato Simó wrote:
> I've prepared kdelibs and kdebase uploads for this. I'm now looking
> for somebody to upload them for me.

Are you one of the normal KDE maintainers? (Sorry, I'm not up-to-date on
KDE maintenance.) If so, I can do the sponsoring.

--
see shy jo

Revision history for this message
In , Dato Simó (dato) wrote :

* Joey Hess [Fri, 10 Dec 2004 17:38:29 -0500]:
> Adeodato Simó wrote:
> > I've prepared kdelibs and kdebase uploads for this. I'm now looking
> > for somebody to upload them for me.

> Are you one of the normal KDE maintainers? (Sorry, I'm not up-to-date on
> KDE maintenance.) If so, I can do the sponsoring.

  let's say I'm becoming an habitual. as for sponsoring, I just talked
  to Riku Voipio and he'll be reviewing and uploading tomorrow, is that
  ok with you?

  in any case, thanks for your offer.

--
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
    Listening to: Oasis - Hello

Everything you read in newspapers is absolutely true, except for that
rare story of which you happen to have first-hand knowledge.
                -- Erwin Knoll

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 23:02:47 +0100
From: Adeodato =?iso-8859-1?Q?Sim=F3?= <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
Subject: Re: Bug#285126: CAN-2004-1171: plain text password exposure

* Joey Hess [Fri, 10 Dec 2004 14:45:15 -0500]:
> Package: kdelibs, kdebase
> Version: 3.3.2
> Tags: security, patch
> Severity: serious

> CAN-2004-1171 is about a security hole in KDE that allows for possible
> passoword leakage:

  I've prepared kdelibs and kdebase uploads for this. I'm now looking
  for somebody to upload them for me.

--
Adeodato Sim� EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
    Listening to: The Beatles - Get back

When it is not necessary to make a decision, it is necessary not to make
a decision.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 17:38:29 -0500
From: Joey Hess <email address hidden>
To: Adeodato =?iso-8859-1?Q?Sim=F3?= <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#285126: CAN-2004-1171: plain text password exposure

--7AUc2qLy4jB3hD7Z
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Adeodato Sim=F3 wrote:
> I've prepared kdelibs and kdebase uploads for this. I'm now looking
> for somebody to upload them for me.

Are you one of the normal KDE maintainers? (Sorry, I'm not up-to-date on
KDE maintenance.) If so, I can do the sponsoring.

--=20
see shy jo

--7AUc2qLy4jB3hD7Z
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBuiVkd8HHehbQuO8RAhTUAJ9cyT5dmUlkZPzrFnnJIaWFkOGUogCZASvL
nOoEgmPBO5k5jvVjnhGy+Yw=
=WeGX
-----END PGP SIGNATURE-----

--7AUc2qLy4jB3hD7Z--

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 23:42:22 +0100
From: Adeodato =?iso-8859-1?Q?Sim=F3?= <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
Cc: Riku Voipio <email address hidden>
Subject: Re: Bug#285126: CAN-2004-1171: plain text password exposure

* Joey Hess [Fri, 10 Dec 2004 17:38:29 -0500]:
> Adeodato Sim�ote:
> > I've prepared kdelibs and kdebase uploads for this. I'm now looking
> > for somebody to upload them for me.

> Are you one of the normal KDE maintainers? (Sorry, I'm not up-to-date on
> KDE maintenance.) If so, I can do the sponsoring.

  let's say I'm becoming an habitual. as for sponsoring, I just talked
  to Riku Voipio and he'll be reviewing and uploading tomorrow, is that
  ok with you?

  in any case, thanks for your offer.

--
Adeodato Sim� EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
    Listening to: Oasis - Hello

Everything you read in newspapers is absolutely true, except for that
rare story of which you happen to have first-hand knowledge.
                -- Erwin Knoll

Revision history for this message
In , Dato Simó (dato) wrote :

tag 285126 sarge
stop here

* Joey Hess [Fri, 10 Dec 2004 14:45:15 -0500]:
> Package: kdelibs, kdebase
> Version: 3.3.2
> Tags: security, patch
> Severity: serious

> CAN-2004-1171 is about a security hole in KDE that allows for possible
> passoword leakage:

  hi,

    kdelibs 3.3.1-2 and kdebase 3.3.1-3 have been uploaded to sid,
    fixing the problem.

    there is no 3.2 upload to t-p-u planned, since the KDE 3.3 testing
    transition has now RMs' approval and we're putting our efforts in it
    happening soon.

    thanks,

--
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

The pure and simple truth is rarely pure and never simple.
                -- Oscar Wilde

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 11 Dec 2004 20:59:27 +0100
From: Adeodato =?iso-8859-1?Q?Sim=F3?= <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#285126: CAN-2004-1171: plain text password exposure

tag 285126 sarge
stop here

* Joey Hess [Fri, 10 Dec 2004 14:45:15 -0500]:
> Package: kdelibs, kdebase
> Version: 3.3.2
> Tags: security, patch
> Severity: serious

> CAN-2004-1171 is about a security hole in KDE that allows for possible
> passoword leakage:

  hi,

    kdelibs 3.3.1-2 and kdebase 3.3.1-3 have been uploaded to sid,
    fixing the problem.

    there is no 3.2 upload to t-p-u planned, since the KDE 3.3 testing
    transition has now RMs' approval and we're putting our efforts in it
    happening soon.

    thanks,

--
Adeodato Sim� EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

The pure and simple truth is rarely pure and never simple.
                -- Oscar Wilde

Revision history for this message
Andreas Mueller (amu) wrote :

the bugs are already solved in the current warty and hoary version.

Cheers
amu

Revision history for this message
In , coldtobi (tobi-coldtobi) wrote : kdelibs: Is this buf fixed? (And can be closed?)

Package: kdelibs
Version: 4:3.3.1-4
Followup-For: Bug #285126

Again, sorry for nagging:

I read the changelog of kdelibs and kdebase and found out, that the bug
should be resolved...

Here the changelog-snips (shortened):

kdebase (4:3.3.1-3) unstable; urgency=medium

  * Include patch to fix CAN-2004-1171 ("plain text password exposure").
      Closes half of #285126.

       -- Adeodato Simó <email address hidden> Fri, 10 Dec 2004 22:28:25
       +0100

kdelibs (4:3.3.1-2) unstable; urgency=medium

  * Include patch to fix CAN-2004-1171 ("plain text password exposure").
      Closes half of #285126. Notes about the patches:

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages kdelibs depends on:
ii kdelibs-bin 4:3.3.1-4 KDE core binaries
ii kdelibs-data 4:3.3.1-4 KDE core shared data
ii kdelibs4 4:3.3.1-4 KDE core libraries

-- no debconf information

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 03 Jan 2005 17:58:04 +0100
From: coldtobi <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: kdelibs: Is this buf fixed? (And can be closed?)

Package: kdelibs
Version: 4:3.3.1-4
Followup-For: Bug #285126

Again, sorry for nagging:

I read the changelog of kdelibs and kdebase and found out, that the bug
should be resolved...

Here the changelog-snips (shortened):

kdebase (4:3.3.1-3) unstable; urgency=medium

  * Include patch to fix CAN-2004-1171 ("plain text password exposure").
      Closes half of #285126.

       -- Adeodato Simó <email address hidden> Fri, 10 Dec 2004 22:28:25
       +0100

kdelibs (4:3.3.1-2) unstable; urgency=medium

  * Include patch to fix CAN-2004-1171 ("plain text password exposure").
      Closes half of #285126. Notes about the patches:

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages kdelibs depends on:
ii kdelibs-bin 4:3.3.1-4 KDE core binaries
ii kdelibs-data 4:3.3.1-4 KDE core shared data
ii kdelibs4 4:3.3.1-4 KDE core libraries

-- no debconf information

Revision history for this message
In , Dato Simó (dato) wrote : Re: Bug#286510: kdelibs: Is bug resolved and can be closed?

* coldtobi [Mon, 03 Jan 2005 17:51:42 +0100]:

> So maybe this bug can be closed, and make the path a little more free
> for the testing scripts?

> --- snip of changelog kdelibs --
> kdelibs (4:3.3.1-3) unstable; urgency=high

> * Added patch to fix half of Konqueror Window Injection
> * Vulnerability
> CAN-2004-115. kdebase upload will fix the rest.

> -- Riku Voipio <email address hidden> Mon, 13 Dec 2004 18:53:21 +0000

> --- end of snip ---

> kdebase (4:3.3.1-3) unstable; urgency=medium

> * Include patch to fix CAN-2004-1171 ("plain text password exposure").
> Closes half of #285126.

> -- Adeodato Simó <email address hidden> Fri, 10 Dec 2004 22:28:25
> +0100

> kdelibs (4:3.3.1-2) unstable; urgency=medium

> * Include patch to fix CAN-2004-1171 ("plain text password exposure").
> Closes half of #285126. Notes about the patches:

  in all cases, the bug remains open because sarge is still vulnerable.
  in all cases, the bug has the 'sarge' tag set, so they don't affect
  the tranisition to sarge. these bugs will be closed as soon as KDE 3.3
  enters testing, which should happen durin this week.

  thanks for caring, anyway.

--
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
    Listening to: David Bowie - If I'm dreaming my life

Faced with the choice between changing one's mind and proving that there
is no need to do so, almost everyone gets busy with the proof.
                -- J.K. Galbraith

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 3 Jan 2005 18:55:25 +0100
From: Adeodato =?iso-8859-1?Q?Sim=F3?= <email address hidden>
To: coldtobi <email address hidden>, <email address hidden>,
 <email address hidden>
Subject: Re: Bug#286510: kdelibs: Is bug resolved and can be closed?

* coldtobi [Mon, 03 Jan 2005 17:51:42 +0100]:

> So maybe this bug can be closed, and make the path a little more free
> for the testing scripts?

> --- snip of changelog kdelibs --
> kdelibs (4:3.3.1-3) unstable; urgency=high

> * Added patch to fix half of Konqueror Window Injection
> * Vulnerability
> CAN-2004-115. kdebase upload will fix the rest.

> -- Riku Voipio <email address hidden> Mon, 13 Dec 2004 18:53:21 +0000

> --- end of snip ---

> kdebase (4:3.3.1-3) unstable; urgency=medium

> * Include patch to fix CAN-2004-1171 ("plain text password exposure").
> Closes half of #285126.

> -- Adeodato Simó <email address hidden> Fri, 10 Dec 2004 22:28:25
> +0100

> kdelibs (4:3.3.1-2) unstable; urgency=medium

> * Include patch to fix CAN-2004-1171 ("plain text password exposure").
> Closes half of #285126. Notes about the patches:

  in all cases, the bug remains open because sarge is still vulnerable.
  in all cases, the bug has the 'sarge' tag set, so they don't affect
  the tranisition to sarge. these bugs will be closed as soon as KDE 3.3
  enters testing, which should happen durin this week.

  thanks for caring, anyway.

--
Adeodato Sim� EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
    Listening to: David Bowie - If I'm dreaming my life

Faced with the choice between changing one's mind and proving that there
is no need to do so, almost everyone gets busy with the proof.
                -- J.K. Galbraith

Revision history for this message
In , Steve Langasek (vorlon) wrote : KDE 3.3.1 in sarge, closes many RC bugs

tags 285126 -sarge
tags 271256 -sarge
tags 285126 -sarge
tags 252670 -sarge
tags 278173 +sid
tags 253701 -sarge
tags 247243 -sarge
thanks

KDE 3.3 has been accepted into testing and should be visible from the
mirrors starting tomorrow. I believe all of these RC bugs can therefore be
closed.

Many thanks to the KDE team for their efforts in making this happen, and to
Anthony Towns for handholding britney through the transition.

--
Steve Langasek
postmodern programmer

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 3 Jan 2005 21:59:38 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>, <email address hidden>,
 <email address hidden>, <email address hidden>,
 <email address hidden>, <email address hidden>,
 <email address hidden>, <email address hidden>,
 <email address hidden>, <email address hidden>,
 <email address hidden>, <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: KDE 3.3.1 in sarge, closes many RC bugs

--m1UC1K4AOz1Ywdkx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

tags 285126 -sarge
tags 271256 -sarge
tags 285126 -sarge
tags 252670 -sarge
tags 278173 +sid
tags 253701 -sarge
tags 247243 -sarge
thanks

KDE 3.3 has been accepted into testing and should be visible from the
mirrors starting tomorrow. I believe all of these RC bugs can therefore be
closed.

Many thanks to the KDE team for their efforts in making this happen, and to
Anthony Towns for handholding britney through the transition.

--=20
Steve Langasek
postmodern programmer

--m1UC1K4AOz1Ywdkx
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB2jDGKN6ufymYLloRAvK1AKCt069o1WpYMZLD2v/FBkFDeD+9HQCfclW7
9IlwTEOC5hGQTBoHmwTUHYQ=
=GV3v
-----END PGP SIGNATURE-----

--m1UC1K4AOz1Ywdkx--

Bug Watch Updater (bug-watch-updater)
Changed in kdelibs:
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.